Ticket #362 (new defect)

Opened 12 years ago

Last modified 8 years ago

login intermittently fails if your .k5login isn't world-readable

Reported by: geofft
Owned by:
Priority: trivial
Milestone: Upstream Utopia
Component: --
Keywords:
Cc:
Fixed in version:
Upstream bug:

Description

jbarnold, mitchb, and probably others I'm forgetting have run into the issue that occasionally they can't ssh in to machines if their .k5login is only readable once they acquire tickets and tokens.

While this is easy to work around (move .k5login to your Public and symlink it), the man page for pam_krb5 says in one section for an option we don't use, "Using this option requires that the user's .k5login file be readable at the time of authentication." I take this to mean that in normal operation, pam_krb5 shouldn't require this.

So there's an upstream bug, either with the code or the documentation (it should say that .k5login always needs to be world-readable).

Change History

comment:1 Changed 10 years ago by geofft

Apparently I never mentioned this on the bug -- achernya and I tracked this down in November to AFS leaking stat(2) and access(2) if ~/.k5login was brought in cache by a PAG with access to it, and returning EACCES otherwise, and Kerberos misinterpreting EACCES as equivalent to ENOENT, and therefore you can only log in if ~/.k5login isn't in cache. We reported this upstream but don't really have a good solution they're happy with.

If there's a way to run fs flush ~/.k5login at some point before krb5_kuserok runs, then that would solve ("solve") this issue by causing krb5_kuserok to think that non-world-readable .k5logins don't exist. I'm not sure if there's a place to put this hook, though; note that the PAM stack runs after krb5_kuserok from gssapi-with-mic. (We could run it early in the PAM stack before pam_krb5 runs, which would cause you to get prompted for a keyboard-interactive Kerberos password after gssapi-with-mic fails, which is suboptimal but at least you could then log in at all.)

Also, note that the solution most amenable to the upstreams may involve ssh always failing, which
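Added example, not part of the original ticket and not code from krb5, pam_krb5 or OpenSSH: a C sketch of the distinction comment:1 describes, keeping ENOENT ("no .k5login") separate from EACCES ("cannot tell") and deciding from open(2) rather than a stat(2)/access(2) pre-check. All function and enum names are hypothetical, and the fail-closed policy in `allow_strict` is an assumption about one possible fix, not the upstream resolution.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

/* All names here are hypothetical; this is not krb5 or pam_krb5 code. */
enum k5login_state { K5LOGIN_PRESENT, K5LOGIN_ABSENT, K5LOGIN_UNREADABLE };

/* Only ENOENT means "no file"; EACCES and any other error mean "cannot tell". */
enum k5login_state classify_errno(int err)
{
    if (err == 0)
        return K5LOGIN_PRESENT;
    return err == ENOENT ? K5LOGIN_ABSENT : K5LOGIN_UNREADABLE;
}

/* Decide from open(2) itself rather than a stat(2)/access(2) pre-check. */
enum k5login_state probe_k5login(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return classify_errno(errno);
    close(fd);
    return K5LOGIN_PRESENT;
}

/* As described in the ticket: an unreadable file is treated like an absent one. */
bool allow_lenient(enum k5login_state s, bool listed, bool is_default)
{
    return s == K5LOGIN_PRESENT ? listed : is_default;
}

/* Fail-closed variant: an unreadable file never grants the fallback. */
bool allow_strict(enum k5login_state s, bool listed, bool is_default)
{
    if (s == K5LOGIN_UNREADABLE)
        return false;
    return s == K5LOGIN_PRESENT ? listed : is_default;
}

int main(void)
{
    /* Constructed path that does not exist, so open(2) fails with ENOENT. */
    enum k5login_state s = probe_k5login("/nonexistent-example-dir/.k5login");
    printf("probe=%d lenient=%d strict=%d\n", s,
           allow_lenient(K5LOGIN_UNREADABLE, false, true),
           allow_strict(K5LOGIN_UNREADABLE, false, true));
    return 0;
}
```

Here `listed` stands for "the principal appears in .k5login" and `is_default` for "the principal maps to the local user by default"; with the strict variant the outcome for an unreadable file no longer depends on whether the file happens to be in cache.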

comment:2 Changed 10 years ago by geofft

  • Summary changed from ssh intermittently fails if your .k5login isn't world-readable to login intermittently fails if your .k5login isn't world-readable

Mitch also reports that this affects local logins, which is entirely unsurprising given that pam_krb5 calls krb5_kuserok just as much as SSH's GSSAPI implementation, so I'm changing the title.

comment:3 Changed 8 years ago by achernya

 Kerberos 32860 has more text on this issue.
